fix escaping issues for file deletion

2025-04-24 17:22:35 +02:00 · 2016-06-30 15:29:23 -07:00 · 2016-06-30 15:29:23 -07:00 · c33a8a86b1
commit c33a8a86b1
parent 80d7536fe1
5 changed files with 17 additions and 3 deletions
--- a/1
+++ b/1
@ -48,6 +48,7 @@ gem 'acme-client', {
  branch: 'no_activesupport'
 }
 gem 'http'
+gem 'htmlentities'

 platform :mri, :rbx do
  gem 'magic' # sudo apt-get install file, For OSX: brew install libmagic
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -97,6 +97,7 @@ GEM
    hiredis (0.6.1)
    hoe (3.14.2)
      rake (>= 0.8, < 11.0)
+    htmlentities (4.3.4)
    http (2.0.1)
      addressable (~> 2.3)
      http-cookie (~> 1.0)
@ -287,6 +288,7 @@ DEPENDENCIES
  geoip
  hiredis
  hoe (= 3.14.2)
+  htmlentities
  http
  io-extra
  jdbc-postgres
--- a/app/site_files.rb
+++ b/app/site_files.rb
@ -134,10 +134,11 @@ end

 post '/site_files/delete' do
  require_login
-  current_site.delete_file params[:filename]
+  path = HTMLEntities.new.decode params[:filename]
+  current_site.delete_file path
  flash[:success] = "Deleted #{params[:filename]}. Please note it can take up to 30 minutes for deleted files to stop being viewable on your site."

-  dirname = Pathname(params[:filename]).dirname
+  dirname = Pathname(path).dirname
  dir_query = dirname.nil? || dirname.to_s == '.' ? '' : "?dir=#{Rack::Utils.escape dirname}"

  redirect "/dashboard#{dir_query}"
--- a/tests/site_file_tests.rb
+++ b/tests/site_file_tests.rb
@ -69,6 +69,16 @@ describe 'site_files' do
      @site.reload.site_files.select {|f| f.path =~ /#{Regexp.quote '8)'}/}.length.must_equal 0
    end

+    it 'deletes with escaped apostrophe' do
+      upload(
+        'dir' => "test'ing",
+        'files[]' => Rack::Test::UploadedFile.new('./tests/files/test.jpg', 'image/jpeg')
+      )
+      @site.reload.site_files.select {|s| s.path == "test'ing"}.length.must_equal 1
+      delete_file filename: "test'ing"
+      @site.reload.site_files.select {|s| s.path == "test'ing"}.length.must_equal 0
+    end
+
    it 'deletes a directory and all files in it' do
      upload(
        'dir' => 'test',
--- a/views/dashboard.erb
+++ b/views/dashboard.erb
@ -167,7 +167,7 @@
                <a href="?dir=<%= Rack::Utils.escape file[:path] %>"><i class="fa fa-edit" title="Manage"></i> Manage</a>
              <% end %>
              <% if !file[:is_root_index] %>
-                <a href="#" onclick="confirmFileDelete('<%= file[:path].gsub("'", '&apos;') %>')"><i class="fa fa-trash" title="Delete"></i> Delete</a>
+                <a href="#" onclick="confirmFileDelete('<%== file[:path].gsub("'", '&apos;') %>')"><i class="fa fa-trash" title="Delete"></i> Delete</a>
              <% end %>
              <% if file[:is_directory] %>
              <a class="link-overlay" href="?dir=<%= Rack::Utils.escape file[:path] %>" title="View <%= file[:path] %>"></a>